We study two notions of expressiveness, which have appeared in abstraction theory for model checking, and find them incomparable in general. In particular, we show that according to the most widely used notion, the class of Kripke Modal Transition Systems is strictly less expressive than the class of Generalised Kripke Modal Transition Systems (a generalised variant of Kripke Modal Transition Systems equipped with hypertransitions). Furthermore, we investigate the ability of an abstraction framework to prove a formula with a finite abstract model, a property known as completeness. We address the issue of completeness from a general perspective: the way it depends on certain abstraction parameters, as well as its relationship with expressiveness.

1 Introduction 

Model checking Q is one of the key technologies for formal software verification. Given a model of a 
program or a process and a specification of the required behaviour in the form of a logical formula, a 
model checker can automatically verify whether the model satisfies the specification. A model checker 
typically explores the entire state space of a program. Such a state space is enormous in most practical 
applications. 

Abstract interpretation 13 is among the most important techniques designed to handle the state 
space explosion problem, making many instances of the model checking problem tractable. It works 
by approximating the artefacts of the original model, the so-called concrete model, by simpler abstract 
objects. A model transformed in this way has a smaller abstract state space. The loss of detail in this 
model may allow a model checker to successfully verify the property, but it can also give rise to an 
inconclusive answer. The cause of the inconclusive answer may be resolved by successive refinements 
of the abstraction [4], leading to finer-grained abstract models. 

Assuming that, as most works on abstraction do, concrete models are modelled by Kripke Structures, 
we investigate two key properties of abstraction formalisms for Kripke Structures. First, we study the 
expressiveness of the formalism. This gives us the information about the classes of concrete structures 
that can be described by abstract models. Second, we study the completeness of the formalism. In 
abstraction, completeness is the degree to which properties of a concrete model can be proved using a 
finite abstraction. 

A systematic survey of the literature reveals that there is an abundance of different abstraction formalisms for Kripke Structures. Kripke Structures equipped with the usual simulation relation themselves form one of the first studied abstraction formalisms, but their power is rather limited. Below, we list the most important families of abstraction formalisms:

1. Modal Transition Systems (MTSs) [15] with may and must transitions and a built-in consistency requirement, and related formalisms, see e.g. [11], such as Kripke Modal Transition Systems (KMTSs) [13].

2. Mixed Transition Systems (MixTSs), a modelling formalism similar to KMTSs, but with the added capability of expressing inconsistent specifications.

3. Generalised Kripke Modal Transition Systems (GTSs) [17] with must hypertransitions; similar structures were already introduced by Larsen and Xinxin in [16] under the name of Disjunctive Transition Systems, although there, these structures served a different purpose.

4. Tree Automata (TA) [8], the most expressive and complete of all of the listed formalisms.

In this paper, we mostly restrict ourselves to GTSs and KMTSs. This is because in practice, GTSs and KMTSs are the key abstraction formalisms used. Tree Automata, while being the "most complete" among the abstraction formalisms, are mainly of theoretical importance due to the complexity of computing an abstraction using this formalism.

Expressiveness of abstraction formalisms has been studied before. In fact, Wei et al. [19] proved that the formalisms from the KMTS family with may and must transitions have the same expressiveness as GTSs with must hypertransitions; they claim to:

"...complete the picture by showing the expressive equivalence between these families." 

At first glance, this seems rather odd: the GTS abstraction formalism is more liberal than any member of the KMTS family of abstraction formalisms. While the arguments in [19] are sound, a closer inspection of their results reveals that their notion of expressiveness can be regarded as non-standard. It is therefore not immediately clear whether their results are comparable to the expressiveness results reported by, e.g., Godefroid and Jagadeesan in [11].

We show that the notion of expressiveness does make a difference: using the notion used by e.g. Godefroid and Jagadeesan, we conclude that the GTS abstraction formalism is strictly more expressive than members of the KMTS family of abstraction formalisms. The expressiveness results claimed by Wei et al. are therefore likely to become a source of confusion. We henceforth refer to the notion of expressiveness used by Wei et al. as contextual expressiveness.

The aforementioned paper [19] suggests that the expressiveness and completeness of an abstraction formalism are closely related, given the following quote:

"The work of Godefroid and Jagadeesan, and Gurfinkel and Chechik showed that the models 
in the KMTS family have the same expressive power and are equally precise for SIS. Dams 
and Namjoshi showed that the three families considered in this paper are subsumed by tree 
automata. We completed the picture by proving that the three families are equivalent as well. 
Specifically, we showed that KMTSs, MixTSs and GKMTSs are relatively complete (in the 
sense of [Dams and Namjoshi]) with one another." 

Since Dams and Namjoshi's paper Q to which they refer only studies completeness, we can only con- 
clude that Wei et al consider completeness and expressiveness as equivalent notions. Since they are 
defined in different ways, it is therefore interesting to know the exact relationship between the two, if 
one exists. 

We have been able to establish only a weak link between expressiveness and completeness, namely, 
only when assuming a thorough semantics for logical formulae, more expressive abstraction formalisms 
are more complete. Since in [19], thorough semantics is not used, our findings are not in support of the 
claims in the above quote. 

Finally, we investigate the notion of completeness itself in more detail. For instance, it is known that GTSs are complete for the fragment of least-fixpoint-free $\mu$-calculus formulae [1]. However, it is not known whether those are the only formulae for which GTSs are complete. Our investigations reveal that the answer to this open question is ambiguous and depends on the setting that is used.
Related work. Expressiveness of modelling formalisms for abstraction was first studied by Godefroid and Jagadeesan in [11]. There, it was proved that Partial KSs (Kripke structures with possibly unknown state labels), MTSs (without state labels) and KMTSs are equally expressive. The proof consists of defining three translations that preserve a variant of mixed simulation called a 'completeness preorder'. In [12], Gurfinkel and Chechik have shown that Partial classical Kripke Structures (with each atomic proposition either always "true" or "false", or always "maybe") are expressively equivalent to the above formalisms. Subsequently, Wei, Gurfinkel and Chechik [19] have studied expressiveness in the context of a fixed abstraction; we come back to this notion in more detail in Section 3.

Expressiveness of various modelling formalisms in the context of refinement has been studied in [9]. In contrast to our work, the authors consider only deterministic structures as proper concretisations of a model.

Dams and Namjoshi were the first to explicitly address the question whether there are abstraction frameworks that are complete for the entire $\mu$-calculus. They answer this question in [7] by introducing abstraction based on focused transition systems. In their follow-up work [8], they show that these focused transition systems are in fact variants of $\mu$-automata, enabling a very brief and elegant argument for completeness of their framework.

The GTS/DMTS framework has received considerable interest from the abstraction community. Shoham and Grumberg studied the precision of the framework in [18]; Fecher and Shoham, in [10], used the framework for a more algorithmic approach to abstraction, by performing abstraction in a lazy fashion using a variation on parity games.

Outline. In Section 2 we introduce the abstraction formalisms and the basic mathematical machinery needed to understand the remainder of the paper. We investigate the expressiveness of the GTS and KMTS abstraction formalisms in Section 3. We then proceed to study completeness in Section 4; there, we provide a formal framework that allows us to compare the completeness of different formalisms, we study the relation between completeness and expressiveness, and we more accurately characterise the set of formulae for which GTSs are complete. We wrap up with concluding remarks and issues for future work in Section 5.

2 Preliminaries 

The first basic ingredient of an abstraction theory is the class $\mathcal{C}$ of concrete structures representing the objects (programs, program models) that we wish to analyse. Throughout this paper, we restrict ourselves to the setting where $\mathcal{C}$ consists of all Kripke Structures (KSs), or possibly some subclass of KSs (e.g. the set of finitely branching Kripke Structures).

Let $AP$ denote an arbitrary, fixed set of atomic propositions, used to specify properties of states; propositions and their negations constitute the set of literals $Lit = AP \cup \{\neg p \mid p \in AP\}$. Below, we recall the definition of Kripke Structures.

Definition 1 A Kripke Structure is a tuple $(S, S^0, R, L)$ where:

• $S$ is a set of states,

• $S^0 \subseteq S$ is a set of initial states,

• $R \subseteq S \times S$ is the transition relation;

• $L : S \to 2^{Lit}$ is a labelling function such that $L(s)$ contains exactly one of $p$ and $\neg p$ for all $p \in AP$.

The class of all Kripke Structures is denoted KS.

The concrete structures are described using abstract models; as a convention, we use symbols $\mathcal{M}$ to denote classes of abstract models and $M$ for instances of models. We assume that models consist of states with a distinguished set of initial states, and additional structural components such as transitions and labels. Formally, models are tuples of the form $M = (S, S^0, \Sigma)$, where $\Sigma$ represents the aforementioned structural artefacts. For a given model $M$, $states(M)$ is the set of states underlying $M$. The notation $(M, s)$ will be used to represent the state $s$ of a model $M$. We also make the general assumption that the abstract models considered in this paper are finite.

Properties of concrete and abstract models are expressed using a certain logic $\mathcal{L}$. In the case of concrete structures, we will use the $\mu$-calculus ($\mathcal{L}_\mu$) with its standard semantics. The same logic is used for our abstract models; however, for such models, the semantics of $\mathcal{L}_\mu$, given by the definition of the satisfaction relation $\models_a$, may vary (e.g. inductive or thorough semantics). Below, we first present the syntax of $\mathcal{L}_\mu$ and its semantics for Kripke Structures.

Definition 2 A $\mu$-calculus formula (in positive form) is a formula generated by the following grammar:

$\varphi, \psi ::= \top \mid \bot \mid \ell \mid X \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \Box\varphi \mid \Diamond\varphi \mid \nu X.\varphi \mid \mu X.\varphi$

where $\ell \in Lit$ and $X \in \mathcal{V}$ for a set of propositional variables $\mathcal{V}$. The $\mu$ and $\nu$ symbols denote the least and greatest fixpoint respectively. The semantics of a formula $\varphi$ is an inductively defined function $[\![\_]\!]$, in the context of a Kripke Structure $M = (S, S^0, R, L)$ and an environment $\eta : \mathcal{V} \to 2^S$ assigning sets of states to the propositional variables:

$[\![\top]\!]^\eta = S$ $\qquad$ $[\![\bot]\!]^\eta = \emptyset$

$[\![\ell]\!]^\eta = \{ s \in S \mid \ell \in L(s) \}$ $\qquad$ $[\![X]\!]^\eta = \eta(X)$

$[\![\mu X.\varphi]\!]^\eta = \mu U.\,[\![\varphi]\!]^{\eta[X := U]}$ $\qquad$ $[\![\nu X.\varphi]\!]^\eta = \nu U.\,[\![\varphi]\!]^{\eta[X := U]}$

Here, we used the following two abbreviations:

$\Diamond U = \{ s \in S \mid \exists q \in S.\ s\,R\,q \wedge q \in U \}$ and $\Box U = \{ s \in S \mid \forall q \in S.\ s\,R\,q \Rightarrow q \in U \}$

In case the formula $\varphi$ is closed (i.e., does not contain free propositional variables: variables that are not bound by a surrounding fixpoint binding the variable), its semantics is independent of the environment $\eta$, and we drop $\eta$ from the semantic brackets. We say that a closed formula $\varphi$ is true in a state $s \in S$, denoted $(M, s) \models \varphi$, if $s \in [\![\varphi]\!]$; $\varphi$ is false in $s$, denoted $(M, s) \not\models \varphi$, if $s \notin [\![\varphi]\!]$.

The $\mu$-calculus is a highly expressive logic, subsuming temporal logics such as LTL, CTL and CTL*. It is capable of expressing safety properties, liveness properties and (complex) fairness properties. Typically, least fixpoint subformulae express eventualities, whereas greatest fixpoint subformulae express invariance. For instance, the formula $\nu X.(\Box X \wedge \ell)$ expresses that $\ell$ holds invariantly on all computation paths, whereas $\mu X.((\Box X \wedge \Diamond\top) \vee \ell)$ expresses that property $\ell$ holds eventually on all computation paths. By mixing least and greatest fixpoints one can construct (computationally and intuitively) more complex formulae such as $\nu X.\mu Y.((\Diamond X \wedge \ell) \vee \Diamond Y)$, which expresses that there is a computation path on which $\ell$ holds infinitely often.
An essential component of an abstraction formalism is the notion of description, approximation or refinement, which provides a link between concrete and abstract structures. Typically, there is a "meta-relation" between classes of structures (here denoted with $\preceq$). Such a meta-relation is typically a relation on states or languages; for instance, mixed simulation or language containment.

As already mentioned, the final ingredient of an abstraction formalism is the semantics of the logic on abstract models. The abstract semantics should include the definition of both the satisfaction (denoted with $\models_a$) and the refutation ($\not\models_a$) predicates. Unlike in Kripke Structures, because of the loss of precision it might be the case that neither $M \models_a \varphi$ nor $M \not\models_a \varphi$ is true for an abstract model $M$. However, we assume that the models are consistent, i.e. for no model $M$ both $M \models_a \varphi$ and $M \not\models_a \varphi$ are true. This can typically be ensured by imposing a certain syntactic restriction; concretely, in our definitions of GTSs and KMTSs, we require that all must transitions are matched by the corresponding may transitions.

Given an $\mathcal{L}_\mu$ semantics for abstract models, the refinement relation has to meet a soundness property (also known as a weak preservation property). That is, we require that whenever $(K, s_K)\ \rho\ (M, s_M)$ holds for some specific states and relation $\rho$ of type $\preceq$, then $(M, s_M) \models_a \varphi$ implies $(K, s_K) \models \varphi$ for every $\varphi \in \mathcal{L}_\mu$.

Before we give the formal definitions of the GTS and KMTS abstraction frameworks, we formally 
define the notion of an abstraction formalism. 

Definition 3 We define an abstraction formalism $\mathcal{F}$ as a quadruple $(\mathcal{C}, \mathcal{M}, \preceq, \models_a)$, where $\mathcal{C}$ is a class of concrete structures (i.e. a subclass of KS); $\mathcal{M}$ is a class of models, $\preceq$ is a class of (structural) refinement relations between $\mathcal{C}$ and $\mathcal{M}$, and $\models_a$ specifies the semantics of the logic ($\mu$-calculus) on abstract models.

Below, we define the class of Generalised Kripke Modal Transition Systems (GTSs) [17]. The class of Kripke Modal Transition Systems (KMTSs) can be viewed as a specialisation of GTSs; in turn, Kripke Structures can be considered as a specialisation of KMTSs.

Definition 4 A Generalised Kripke Modal Transition System (GTS) is a tuple $M = (S, S^0, R^+, R^-, L)$ where:

• $S$ is a set of states,

• $S^0 \subseteq S$ is a set of initial states,

• $R^- \subseteq S \times S$ is the may transition relation,

• $R^+ \subseteq S \times 2^S$ is the must transition relation; we require that $s\,R^+\,A$ implies $s\,R^-\,t$ for all $t \in A$,

• $L : S \to 2^{Lit}$ is a labelling function; we require that $L(s)$ contains at most one of $p$ and $\neg p$ for all $s \in S$, $p \in AP$.

The system $M$ is called a Kripke Modal Transition System (KMTS) if for all $s \in S$, $A \subseteq S$ for which $s\,R^+\,A$ we have $|A| = 1$. The class of all GTSs will be denoted with GTS and the class of all KMTSs is denoted by KMTS.

Note that a KMTS $M$ can be identified with a Kripke Structure if for all $s, s' \in S$ we have $s\,R^+\,\{s'\}$ iff $s\,R^-\,s'$, and $L(s)$ contains precisely one of $p$ and $\neg p$ for all $p \in AP$.

The intuition behind a must hypertransition $s\,R^+\,A$ is that it is guaranteed that there is a transition from $s$ to some state in $A$, but the exact state in $A$ to which this transition leads is not determined upfront, offering some extra flexibility. In contrast, the extra condition that is imposed on KMTSs ensures that the destination of a must hypertransition is determined.

Next, we formalise the notion of approximation, or refinement, between concrete and abstract structures. The de-facto approximation relation for GTSs is mixed simulation; this approximation relation also appears under the names "completeness preorder" [11, 8] and "refinement preorder" [19]. Given that GTSs generalise Kripke Structures, we define the notion of mixed simulation between abstract structures only.

Definition 5 Let $M_1 = (S_1, S_1^0, R_1^+, R_1^-, L_1)$ and $M_2 = (S_2, S_2^0, R_2^+, R_2^-, L_2)$ be two GTSs. A relation $H \subseteq S_1 \times S_2$ is a mixed simulation if $s_1\,H\,s_2$ implies

• $L_2(s_2) \subseteq L_1(s_1)$,

• if $s_1\,R_1^-\,s_1'$, then there exists $s_2' \in S_2$ such that $s_2\,R_2^-\,s_2'$ and $s_1'\,H\,s_2'$,

• if $s_2\,R_2^+\,A_2$, then there exists $A_1 \subseteq S_1$ such that $s_1\,R_1^+\,A_1$, and for every $s_1' \in A_1$ there is some $s_2' \in A_2$ such that $s_1'\,H\,s_2'$.

We write $(M_1, s_1) \preceq_{mix} (M_2, s_2)$ if $s_1\,H\,s_2$ for some mixed simulation $H$. Mixed simulation between models $M_1$ and $M_2$, denoted $M_1 \preceq_{mix} M_2$, holds iff for all initial states $s_1^0 \in S_1^0$ there is a corresponding initial state $s_2^0 \in S_2^0$ such that $(M_1, s_1^0) \preceq_{mix} (M_2, s_2^0)$.

We proceed to define the standard inductive semantics (SIS) of a $\mu$-calculus formula in the setting of GTSs. This can be done in more than one way; our definition is taken from Shoham and Grumberg [18].

Definition 6 The standard inductive semantics of a formula $\varphi$ is inductively defined by two functions $[\![\_]\!]^{tt}$ and $[\![\_]\!]^{ff}$, in the context of a GTS $M = (S, S^0, R^+, R^-, L)$ and an environment $\eta : \mathcal{V} \to 2^S$ assigning sets of states to propositional variables:

Here, we used the following two abbreviations:

$\Diamond U = \{ s \in S \mid \exists A \subseteq S.\ s\,R^+\,A \wedge A \subseteq U \}$ and $\Box U = \{ s \in S \mid \forall t \in S.\ s\,R^-\,t \Rightarrow t \in U \}$

In case the formula $\varphi$ is closed, its semantics is independent of the environment $\eta$, and we drop $\eta$ from the semantic brackets. A closed formula $\varphi$ is true in a state $s \in S$, denoted $(M, s) \models_{SIS} \varphi$ (or simply $(M, s) \models \varphi$ if the setting is clear from the context), if $s \in [\![\varphi]\!]^{tt}$; $\varphi$ is false in $s$, denoted $(M, s) \not\models_{SIS} \varphi$ ($(M, s) \not\models \varphi$), if $s \in [\![\varphi]\!]^{ff}$, and it is unknown in $s$ otherwise.

Note that if $M$ is a Kripke structure, it always holds that either $(M, s) \models \varphi$ or $(M, s) \not\models \varphi$, and the satisfaction relation coincides with the usual semantics for the $\mu$-calculus.
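As an added example (not code from the paper), the following Python evaluates the standard inductive semantics of Definition 6 on a small GTS, returning the tt-set and the ff-set of a formula; Kripke structures (Definition 2) are handled as the special case in which every transition $s \to t$ is also the must hypertransition $s \to \{t\}$, so the same evaluator covers the semantics of Section 2. The clauses for the Boolean and modal operators, which this copy of the definition does not spell out, are filled in from Shoham and Grumberg's three-valued reading as we understand it (our assumption, not text from the paper): the tt-set of $\Diamond\varphi$ is built from must hypertransitions and its ff-set from may transitions, $\Box$ dually, and the tt-set and ff-set of a fixpoint formula are the least/greatest fixpoints of the respective transformers. The Kripke structure K and all state names are constructed for the example; G is the GTS of Theorem 1 as we read its proof.

```python
# Added example, not code from the paper: standard inductive semantics (SIS) of
# mu-calculus formulae on a GTS (Definition 6).  A Kripke structure is the special
# case produced by ks(), where every transition s -> t is also a must s -> {t}.
# The Boolean/modal/fixpoint clauses are our reading of the three-valued semantics
# (assumption): tt-sets use must hypertransitions for <> and may transitions for [],
# ff-sets the other way round, and fixpoints are iterated dually for tt and ff.

class GTS:
    """M = (S, R+, R-, L); initial states are not needed for the semantics."""
    def __init__(self, may, must, labels):
        self.states = frozenset(labels)
        self.may = frozenset(may)                                     # R- subset of S x S
        self.must = frozenset((s, frozenset(A)) for s, A in must)     # R+ subset of S x 2^S
        self.labels = {s: frozenset(l) for s, l in labels.items()}    # L: S -> 2^Lit

def ks(R, labels):
    """A Kripke structure viewed as a GTS (last paragraph of Definition 4)."""
    return GTS(R, [(s, {t}) for s, t in R], labels)

def neg(l):
    """Negation of a literal; "!a" stands for not a."""
    return l[1:] if l.startswith("!") else "!" + l

def dia(M, U):   # <>U = {s | exists A. s R+ A and A subset U}
    return frozenset(s for s, A in M.must if A <= U)

def box(M, U):   # []U = {s | forall t. s R- t implies t in U}
    return frozenset(s for s in M.states if all(t in U for u, t in M.may if u == s))

def sis(M, phi, env=None):
    """Return ([[phi]]tt, [[phi]]ff) for a formula given as nested tuples:
    ('top',), ('bot',), ('lit', l), ('var', X), ('and', f, g), ('or', f, g),
    ('dia', f), ('box', f), ('mu', X, f), ('nu', X, f)."""
    env = env or {}
    S, op = M.states, phi[0]
    if op == "top":
        return S, frozenset()
    if op == "bot":
        return frozenset(), S
    if op == "lit":
        return (frozenset(s for s in S if phi[1] in M.labels[s]),
                frozenset(s for s in S if neg(phi[1]) in M.labels[s]))
    if op == "var":
        return env[phi[1]]
    if op in ("and", "or"):
        t1, f1 = sis(M, phi[1], env)
        t2, f2 = sis(M, phi[2], env)
        return (t1 & t2, f1 | f2) if op == "and" else (t1 | t2, f1 & f2)
    if op in ("dia", "box"):
        t, f = sis(M, phi[1], env)
        return (dia(M, t), box(M, f)) if op == "dia" else (box(M, t), dia(M, f))
    X, body = phi[1], phi[2]         # mu or nu: Kleene iteration of both sets at once;
    tt, ff = (frozenset(), S) if op == "mu" else (S, frozenset())   # tt and ff are independent
    while True:
        new = sis(M, body, {**env, X: (tt, ff)})
        if new == (tt, ff):
            return new
        tt, ff = new

def holds(M, s, phi):
    """Three-valued verdict of a closed formula in state s."""
    tt, ff = sis(M, phi)
    return "true" if s in tt else "false" if s in ff else "unknown"

# The three formulae from Section 2 with l = a: invariance, eventuality, "infinitely often".
INV_A = ("nu", "X", ("and", ("box", ("var", "X")), ("lit", "a")))
EV_A = ("mu", "X", ("or", ("and", ("box", ("var", "X")), ("dia", ("top",))), ("lit", "a")))
INF_A = ("nu", "X", ("mu", "Y", ("or", ("and", ("dia", ("var", "X")), ("lit", "a")),
                                     ("dia", ("var", "Y")))))

# Constructed Kripke structure: s0 [a] -> s1 [!a] -> s2 [a] -> s2.
K = ks([("s0", "s1"), ("s1", "s2"), ("s2", "s2")],
       {"s0": {"a"}, "s1": {"!a"}, "s2": {"a"}})
# The GTS G of Theorem 1 as described in its proof: s [a] with may steps to s and q
# and the must hypertransition s -> {s, q}; q [!a] has no transitions.
G = GTS([("s", "s"), ("s", "q")], [("s", {"s", "q"})], {"s": {"a"}, "q": {"!a"}})

if __name__ == "__main__":
    for name, phi in [("inv", INV_A), ("ev", EV_A), ("inf", INF_A)]:
        print(name, [holds(K, s, phi) for s in ("s0", "s1", "s2")], "G,s:", holds(G, "s", phi))
```

On K every formula is decided, as the note above says. On G the invariance and "infinitely often" formulae come out unknown in s while the eventuality is true there: G has concretisations on which a holds forever and others on which it does not, which is precisely the imprecision that the proof of Theorem 1 exploits with its two concretisations $p_1$ and $p_2$.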

By abuse of notation, we make GTS also stand for the abstraction formalism $(\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS})$. Likewise, we make KMTS stand for the abstraction formalism $(\mathrm{KS}, \mathrm{KMTS}, \preceq_{mix}, \models_{SIS})$.

In several works on abstraction [19, 18], the authors restrict themselves to a particular abstraction setting of the form $(C, \rho, S)$, in which we are given two sets of concrete and abstract objects and a fixed abstraction relation; properties of interest (precision, see [18], consistency, but also expressiveness, see [19]) are then analysed relative to such a fixed abstraction relation. The abstraction setting we define below formalises the approach of Wei et al. [19]; it differs from [18] in that $C$ is assumed to be a set of concrete states without a structure, whereas in [18] it is assumed to be a Kripke Structure.

Definition 7 An abstraction setting is a pair $(\mathcal{F}, (C, \rho, S))$, such that $\mathcal{F}$ is an abstraction formalism, $C$ and $S$ are sets, and $\rho \subseteq C \times S$ is an approximation relation.


3 On the Expressiveness of GTSs and KMTSs 



In Section 3.1 we first define the notion of expressiveness, based on the definition of the semantics of an abstract model that is used by e.g. Godefroid and Jagadeesan in [11]. Then, in Section 3.2 we formalise the notion of expressiveness used by Wei et al. in [19].



3.1 Expressiveness 

The expressiveness of an abstraction framework characterises the classes of concretisations (refinements, implementations) that one is able to capture using abstract models from the framework. The definition is clear and intuitive; however, it still depends on the choice of what constitutes the "proper" concrete semantics of an abstract model. In most cases [11, 12, 14], the latter is defined simply as the class of all those Kripke structures that refine a given model. Formally, the definition is as follows:

Definition 8 Given an abstraction formalism $\mathcal{F} = (\mathcal{C}, \mathcal{M}, \preceq, \models_a)$, the class of concretisations of a state $(M, s)$, where $M \in \mathcal{M}$, is defined as:

$C_{\mathcal{F}}[(M, s)] = \{ (K, s_K) \in \mathcal{C} \mid (K, s_K) \preceq (M, s) \}$

Having fixed the semantics of an abstract model, we may now define the corresponding notion of expressiveness.

Definition 9 Let $\mathcal{F}_1 = (\mathcal{C}, \mathcal{M}_1, \preceq_1, \models_1^a)$ and $\mathcal{F}_2 = (\mathcal{C}, \mathcal{M}_2, \preceq_2, \models_2^a)$ be two abstraction formalisms. We say that $\mathcal{F}_2$ is more expressive than $\mathcal{F}_1$, denoted $\mathcal{F}_1 \sqsubseteq_{ex} \mathcal{F}_2$, if for all $(M_1, s_1) \in \mathcal{M}_1$ there exists $(M_2, s_2) \in \mathcal{M}_2$ such that $C_{\mathcal{F}_1}[(M_1, s_1)] = C_{\mathcal{F}_2}[(M_2, s_2)]$. We say that $\mathcal{F}_2$ is strictly more expressive than $\mathcal{F}_1$, denoted $\mathcal{F}_1 \sqsubset_{ex} \mathcal{F}_2$, if $\mathcal{F}_1 \sqsubseteq_{ex} \mathcal{F}_2$ and there is some $(M_2, s_2) \in \mathcal{M}_2$ such that $C_{\mathcal{F}_2}[(M_2, s_2)] \neq C_{\mathcal{F}_1}[(M_1, s_1)]$ for every $(M_1, s_1) \in \mathcal{M}_1$.

Theorem 1 GTSs are strictly more expressive than KMTSs, i.e. $\mathrm{KMTS} \sqsubset_{ex} \mathrm{GTS}$.

Proof: GTSs subsume KMTSs syntactically, and both abstraction formalisms use the same approximation relation. Therefore GTSs are at least as expressive as KMTSs, i.e. $\mathrm{KMTS} \sqsubseteq_{ex} \mathrm{GTS}$. We will prove that they are strictly more expressive than KMTSs by showing that a certain GTS cannot be matched by a semantically equivalent KMTS.

Consider the GTS $G$ depicted below, where $L(s) = \{a\}$ and $L(q) = \{\neg a\}$; the labelling is denoted with square brackets, the must hypertransitions are depicted by solid transitions pointing to a rectangle containing one or more states, whereas dashed arrows are the may transitions.
Suppose, towards a contradiction, that for a certain $M \in \mathrm{KMTS}$ and a certain state $s_M$ of $M$, we have $C_{KMTS}[(M, s_M)] = C_{GTS}[(G, s)]$. First, observe that for every state $q_M$ reachable from $(M, s_M)$, one of the following holds:

1. $a \in L(q_M)$ and there is a must transition starting at $q_M$,

2. $\neg a \in L(q_M)$ and there is no transition starting at $q_M$.

To prove the above, one can show that these two properties, which hold on all (two) reachable states of $G$, are preserved "backwards" by mixed simulation, so they hold in all states of all refinements of $(G, s)$. On the other hand, if one of them did not hold in some state of $M$, then $M$ would have a refinement outside $C_{GTS}[(G, s)]$.

The next observation is that both states $p_1$ and $p_2$ depicted below are valid concretisations of $(G, s)$:

[Figure: $p_1$ [$a$] with a self-loop; $p_2$ [$a$] with a single transition to a state labelled [$\neg a$].]

Let us now focus on $M$. Since the deadlocked process is not a concretisation of $(G, s)$, there has to be a must transition starting in $(M, s_M)$ (case 1 above), say $(M, s_M)\,R^+\,(M, s_M')$. Consider two cases:

1. If there is a must transition starting at $s_M'$, then $p_2$ is not a concretisation of $(M, s_M)$, a contradiction.

2. If $\neg a \in L(s_M')$, then $p_1$ is not a concretisation of $(M, s_M)$, a contradiction.

Both cases lead to the desired contradiction. □

Note that in the above proof we did not make any assumption on the finiteness of $M$. That means that the GTS $G$ cannot be semantically matched even by an infinite-state KMTS, i.e. our expressiveness result is rather robust.



3.2 Contextual Expressiveness 

We already mentioned that the definition of expressiveness crucially depends on the choice of concretisations of an abstract model. Apart from taking the entire class, we may consider some restricted subclasses, for instance only deterministic implementations [9].

From the model checking perspective, the most important alternative definition was given in [19]. There, properties of an abstraction framework are always considered in the context of a specific abstraction, namely a relation $\rho \subseteq C \times S$ for some particular sets $C$ and $S$ of concrete and abstract objects; see the definition of the abstraction setting.

Given a model whose states consist of elements of $S$, we only consider concretisations from the given abstraction setting (based on $\rho$). The definition below is based on [19].

Definition 10 Given a fixed abstraction setting $(\mathcal{F}, (C, \rho, S))$, we define the set of concretisations of a state $(M, s)$, where $M \in \mathcal{M}$ and $states(M) \subseteq S$, in the context of $\rho$, as:

$C_{\mathcal{F}}[(M, s), \rho] = \{ (K, s_K) \in \mathcal{C} \mid states(K) \subseteq C,\ (K, s_K)\,\rho\,(M, s)$ and $\rho$ is a refinement relation in the sense of $\mathcal{F}$ between $K$ and $M \}$

With the semantics of abstract models restricted to the specific instance of abstraction, we automatically obtain another notion of expressiveness. The one given in [19] is somewhat ambiguous:

"Two partial modelling formalisms are expressively equivalent if and only if for every tran- 
sition system M from one formalism, there exists a transition system M' from the other, such 
that M and M' are semantically equivalent." 
The semantic equivalence to which the quote refers means having equal sets of concretisations in the context of a specific abstraction (in our terms, the equality of the $C_{\mathcal{F}}[(M, s), \rho]$ sets).

For $M$, we can assume a specific setting $(\mathcal{F}, (C, \rho, S))$. However, it is not immediately obvious whether there are restrictions on the refinement relation $\rho'$ with which $M'$ is supposed to match $M$: can it be arbitrary, or should it be in some way related to $\rho$? We believe the best way is to allow for an arbitrary abstraction setting $(C, \rho', S')$ for $M'$, with one practical assumption: whenever $S' \cap S \neq \emptyset$, then $\rho'$ conservatively extends $\rho$ on $S \cap S'$, i.e. $\{ s_C \mid \exists s \in S' \cap S.\ s_C\,\rho'\,s \} = \{ s_C \mid \exists s \in S' \cap S.\ s_C\,\rho\,s \}$.

The following definition of expressiveness, which we dub contextual expressiveness so as to avoid confusion with the notion of expressiveness we considered in the previous section, is based on [19]; we clarify their notion by making the dependence on the abstraction context explicit.

Definition 11 Let $\mathcal{F}_1 = (\mathcal{C}, \mathcal{M}_1, \preceq_1, \models_1^a)$ and $\mathcal{F}_2 = (\mathcal{C}, \mathcal{M}_2, \preceq_2, \models_2^a)$ be two abstraction formalisms. Then $\mathcal{F}_2$ is contextually more expressive than $\mathcal{F}_1$, denoted $\mathcal{F}_1 \sqsubseteq_{cex} \mathcal{F}_2$, if for all abstraction settings $(\mathcal{F}_1, (C, \rho, S))$ and all model-state pairs $(M_1, s_1) \in \mathcal{M}_1$ with $states(M_1) \subseteq S$, there is an abstraction setting $(\mathcal{F}_2, (C, \rho', S'))$ and $(M_2, s_2) \in \mathcal{M}_2$ with $states(M_2) \subseteq S'$ such that $C_\rho[(M_1, s_1), \mathcal{F}_1] = C_{\rho'}[(M_2, s_2), \mathcal{F}_2]$.

Theorem 2 GTS and KMTS are contextually equally expressive, i.e. $\mathrm{GTS} \sqsubseteq_{cex} \mathrm{KMTS}$ and $\mathrm{KMTS} \sqsubseteq_{cex} \mathrm{GTS}$, see [19].

We believe it is at this point instructive to explain why the GTS we used to prove strictness of expressiveness in the previous section does not work in the setting of contextual expressiveness. For this, we consider the transformation GtoK defined in [19], which, given a GTS in a specific abstraction setting $(C, \rho, S)$, produces a contextually equally expressive KMTS.

We first show that the application of GtoK does not produce an expressively equivalent (in our sense) KMTS. For this, we need to define an abstraction setting. Let us consider a very simple one, with concrete and abstract sets consisting of two elements, namely $C = \{s_C, q_C\}$ and $S = \{s, q\}$, and the description relation defined as $\rho = \{(s_C, s), (q_C, q)\}$.

Now consider the GTS $G$ from the proof of Thm. 1. The set of concretisations of the state $(G, s)$ in the context of $\rho$, $C_\rho[(G, s), \mathrm{GTS}]$, consists of the following three models:

[Figure: three Kripke structures over the states $s_C$ [$a$] and $q_C$ [$\neg a$].]

Next, we consider the transformation GtoK, and apply it to the GTS $G$ from the proof of Thm. 1. The starting point of the transformation is the KMTS consisting of the same states as the original GTS, with every original standard transition (with one state as a target). Then for every true hypertransition $p\,R^+\,A$, GtoK introduces a new state $p_A$ that mimics the target of the hypertransition, such that $\gamma(p_A) = \bigcup_{p' \in A} \gamma(p')$. Finally, the proper may transitions are added to the newly introduced states. This results in the following KMTS for our GTS $G$:

It is not too hard to check that $C_\rho[(G, s), \mathrm{GTS}] = C_{\rho'}[(\mathrm{GtoK}(G), s), \mathrm{KMTS}]$, where $\rho'$ is the abstraction relation resulting from the transformation, i.e. $\rho' = \{(s_C, s), (q_C, q), (s_C, s_q), (q_C, s_q)\}$. This means that $G$ does not show that GTS is contextually strictly more expressive than KMTS (of course, this could never be the case, as the transformation GtoK is used to prove that an arbitrary GTS can be converted to a contextually equivalent KMTS).

On the other hand, the KMTS above is not expressively equivalent to $G$, because for instance the following Kripke structure is a concretisation of $\mathrm{GtoK}(G)$:

[Figure: $q_1$ [$a$] $\to$ $q_2$ [$a$].]
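The following Python block is an added example, not code from the paper or from [19]. It checks the three conditions of Definition 5 for a given relation, computes the largest mixed simulation between two GTSs as a greatest fixpoint (so it decides $\preceq_{mix}$), rebuilds the GTS $G$ of Theorem 1 together with its concretisations $p_1$, $p_2$ and the deadlocked process, and enumerates the contextual concretisations of Definition 10 for the setting $C = \{s_C, q_C\}$, $S = \{s, q\}$, $\rho = \{(s_C, s), (q_C, q)\}$ used above. Since the figures are missing from this copy, the shapes of $G$, $p_1$, $p_2$ and of $\mathrm{GtoK}(G)$ are our reading of the surrounding text; the may transitions leaving the new state $s_q$, the choice $states(K) = C$ in the enumeration, and the use of a single proposition $a$ are assumptions of the example.

```python
# Added example, not code from the paper: mixed simulation (Definition 5) between
# GTSs, the GTS G of Theorem 1 as described in its proof, and the contextual
# concretisations of Definition 10 for rho = {(sc, s), (qc, q)}.
from itertools import product

# A GTS is a triple (may, must, labels): may is a set of (s, t) pairs, must a set
# of (s, frozenset A) hypertransitions, labels maps each state to its literals
# ("a", or "!a" for the negation).  The state set is labels.keys().

def ks(R, labels):
    """A Kripke structure as a GTS: every transition s -> t is also a must s -> {t}."""
    return (frozenset(R), frozenset((u, frozenset({t})) for u, t in R), labels)

def pair_ok(s1, s2, H, M1, M2):
    """The three conditions of Definition 5 for one pair, with H as the relation."""
    may1, must1, lab1 = M1
    may2, must2, lab2 = M2
    if not lab2[s2] <= lab1[s1]:          # abstract literals survive in the concrete state
        return False
    for u, t1 in may1:                    # every may step of s1 is matched by one of s2
        if u == s1 and not any(v == s2 and (t1, t2) in H for v, t2 in may2):
            return False
    for v, A2 in must2:                   # every must hypertransition of s2 is matched
        if v == s2 and not any(           # by one of s1, target by target
                u == s1 and all(any((t1, t2) in H for t2 in A2) for t1 in A1)
                for u, A1 in must1):
            return False
    return True

def is_mixed_simulation(H, M1, M2):
    return all(pair_ok(s1, s2, H, M1, M2) for s1, s2 in H)

def largest_mixed_simulation(M1, M2):
    """Greatest fixpoint: start from all pairs and drop violating ones until stable."""
    H = {(s1, s2) for s1 in M1[2] for s2 in M2[2]}
    while True:
        H2 = {(s1, s2) for s1, s2 in H if pair_ok(s1, s2, H, M1, M2)}
        if H2 == H:
            return H
        H = H2

def refines(M1, s1, M2, s2):
    """(M1, s1) <=_mix (M2, s2)."""
    return (s1, s2) in largest_mixed_simulation(M1, M2)

def contextual_concretisations(M, s, rho, C, s_c):
    """C_rho[(M, s)] of Definition 10 over Kripke structures with state set C
    (assumption: states(K) = C) for which rho is a mixed simulation into M and
    (s_c, s) is in rho; one proposition a, each state gets exactly one of a, !a."""
    C = sorted(C)
    pairs = [(u, t) for u in C for t in C]
    found = []
    for lits in product([frozenset({"a"}), frozenset({"!a"})], repeat=len(C)):
        labels = dict(zip(C, lits))
        for bits in product([False, True], repeat=len(pairs)):
            R = {p for p, b in zip(pairs, bits) if b}
            if (s_c, s) in rho and is_mixed_simulation(rho, ks(R, labels), M):
                found.append((frozenset(R), labels))
    return found

# G from the proof of Theorem 1: s [a] with may steps to s and q and the must
# hypertransition s -> {s, q}; q [!a] has no transitions.
G = (frozenset({("s", "s"), ("s", "q")}),
     frozenset({("s", frozenset({"s", "q"}))}),
     {"s": frozenset({"a"}), "q": frozenset({"!a"})})
# The concretisations p1 (self-loop) and p2 (one step into a deadlocked !a state).
P1 = ks({("p1", "p1")}, {"p1": frozenset({"a"})})
P2 = ks({("p2", "p2x")}, {"p2": frozenset({"a"}), "p2x": frozenset({"!a"})})
DEAD = ks(set(), {"d": frozenset({"a"})})          # the deadlocked process
# GtoK(G) as we read the description (assumption): new state sq for the target {s, q},
# labelled with the literals common to s and q (none), must s -> {sq}, may s -> sq and
# may steps from sq to s and q.
GK = (frozenset({("s", "s"), ("s", "q"), ("s", "sq"), ("sq", "s"), ("sq", "q")}),
      frozenset({("s", frozenset({"sq"}))}),
      {"s": frozenset({"a"}), "q": frozenset({"!a"}), "sq": frozenset()})
RHO = {("sc", "s"), ("qc", "q")}
RHO2 = RHO | {("sc", "sq"), ("qc", "sq")}
# The Kripke structure q1 [a] -> q2 [a] (q2 deadlocked) from the text above.
Q12 = ks({("q1", "q2")}, {"q1": frozenset({"a"}), "q2": frozenset({"a"})})

if __name__ == "__main__":
    print(refines(P1, "p1", G, "s"), refines(P2, "p2", G, "s"), refines(DEAD, "d", G, "s"))
    print(refines(Q12, "q1", GK, "s"), refines(Q12, "q1", G, "s"))
    print(len(contextual_concretisations(G, "s", RHO, {"sc", "qc"}, "sc")),
          len(contextual_concretisations(GK, "s", RHO2, {"sc", "qc"}, "sc")))
```

Running it confirms the claims of Section 3 for this reading of the figures: $p_1$ and $p_2$ refine $(G, s)$ while the deadlocked process does not, the Kripke structure $q_1 \to q_2$ refines $(\mathrm{GtoK}(G), s)$ but not $(G, s)$, and both $(G, s)$ in the context of $\rho$ and $(\mathrm{GtoK}(G), s)$ in the context of $\rho'$ have exactly the same three contextual concretisations, namely $s_C$ [$a$] with a non-empty set of transitions into $\{s_C, q_C\}$ and a deadlocked $q_C$ [$\neg a$].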

From the fact that GTS and KMTS are contextually equally expressive but GTS are strictly more expressive than KMTS, it follows that contextual expressiveness does not imply expressiveness in general. In fact, if we consider arbitrary abstraction frameworks, these two notions are incomparable. The reason is that a certain framework may only allow maximal refinement relations (e.g. only maximal mixed simulations) between concrete and abstract models, which will make it less contextually expressive than if we allow all possible relations.

Theorem 3 Expressiveness and contextual expressiveness do not imply one another. 

Proof: For an example showing that contextual expressiveness does not imply expressiveness we can 
use the example of GTSs and KMTSs. 

To prove that the implication does not hold in the other direction as well, we can use frameworks based on the same class of models, but different refinement relations. Suppose that $\mathcal{F}_1$ is a standard KMTS framework with mixed simulation as a meta-refinement relation, and $\mathcal{F}_2$ differs from $\mathcal{F}_1$ in that it allows only those mixed simulations that are maximal for a given concrete and abstract model. Clearly, $\mathcal{F}_1$ and $\mathcal{F}_2$ are expressively equivalent. On the other hand, they are not equivalent when it comes to contextual expressiveness.

In order to see this, consider a very simple KMTS $M^{all}$ depicted below, and its concretisation $K$. Note that both states of $M^{all}$ abstract the entire class of Kripke structures.

[Figure: the KMTS $M^{all}$ with states $s_1^{all}$, $s_2^{all}$ and its concretisation $K$ with states $q_1$, $q_2$; on the left the relation $\rho$, on the right the maximal mixed simulation.]

Let us now define an abstraction setting $(\mathcal{F}_1, (\{q_1, q_2\}, \rho, \{s_1^{all}, s_2^{all}\}))$, where $\rho(q_1) = s_1^{all}$ and $\rho(q_2) = s_2^{all}$ (on the left picture above). It is a valid abstraction setting; indeed, $\rho$ is a mixed simulation, so it is a proper refinement in the framework $\mathcal{F}_1$. However, $\rho$ is not a refinement in $\mathcal{F}_2$, because it is contained in the relation $\{q_1, q_2\} \times \{s_1^{all}, s_2^{all}\}$ (depicted above on the right), which is the only maximal mixed simulation between $K$ and $M^{all}$. Since this maximal refinement is the only one that we are allowed to consider as a candidate for $\rho'$ to match $\rho$ in concretisations of $s_1^{all}$ and $s_2^{all}$, we observe that it is impossible to find a $\rho'$ with the property that $C_\rho[(M^{all}, s_1^{all}), \mathcal{F}_1] = C_{\rho'}[(M^{all}, s_1^{all}), \mathcal{F}_2]$. Hence $\mathcal{F}_1$ and $\mathcal{F}_2$ are not contextually expressively equivalent. □

4 Completeness 

Arguably the most important property of any abstraction formalism is its degree of completeness. We 
will first provide a formal measure of completeness; for a given formalism, it is defined as the set of 
formulae that can be proved with a finite abstract model. 
Definition 12 Given an abstraction formalism $\mathcal{F} = (\mathcal{C}, \mathcal{M}, \preceq, \models_a)$, the completeness set of $\mathcal{F}$, denoted $\mathrm{compl}(\mathcal{F})$, is defined as follows:

$$\mathrm{compl}(\mathcal{F}) = \{\varphi \in \mathcal{L}_\mu \mid \varphi \text{ is satisfiable and } \forall (K,s_K) \in \mathcal{C}.\ (K,s_K) \models \varphi \Rightarrow \exists (M,s_M) \in \mathcal{M}.\ (K,s_K) \preceq (M,s_M) \wedge (M,s_M) \models_a \varphi\}$$

Furthermore, we define the relative completeness preorder between abstraction formalisms $\mathcal{F}_1$ and $\mathcal{F}_2$ as:

$$\mathcal{F}_1 \sqsubseteq_{cmp} \mathcal{F}_2 \overset{\mathrm{def}}{\Leftrightarrow} \mathrm{compl}(\mathcal{F}_1) \subseteq \mathrm{compl}(\mathcal{F}_2)$$

Note that we have assumed that all abstract models in $\mathcal{M}$ are finite.

4.1 Expressiveness and completeness 

We start by showing some simple facts concerning the relationship between expressiveness and completeness. One can observe an implication in one direction if we assume a setting with thorough semantics, i.e. when the satisfaction of a formula by an abstract model depends on whether it is satisfied by all its concretisations (note that this semantics differs from the standard inductive semantics we introduced in Section 2).

Definition 13 Given an abstraction formalism $(\mathcal{C}, \mathcal{M}, \preceq, \models_t)$, we say that $\models_t$ is a thorough semantics if it is defined as (or satisfies):

$$(M,s) \models_t \varphi \Leftrightarrow \forall (K,s') \in C_{\mathcal{F}}[(M,s)].\ (K,s') \models \varphi$$

Proposition 1 Assuming thorough semantics, expressiveness containment implies relative completeness containment. More precisely, if $\mathcal{F}_1 = (\mathcal{C}, \mathcal{M}_1, \preceq_1, \models_1)$ and $\mathcal{F}_2 = (\mathcal{C}, \mathcal{M}_2, \preceq_2, \models_2)$, where $\models_1$ and $\models_2$ are thorough semantics, then:

$$\mathcal{F}_1 \sqsubseteq_{ex} \mathcal{F}_2 \Rightarrow \mathcal{F}_1 \sqsubseteq_{cmp} \mathcal{F}_2$$

Proof: Take any $\varphi \in \mathrm{compl}(\mathcal{F}_1)$, and an arbitrary $(K,s_K) \in \mathrm{KS}$ such that $(K,s_K) \models \varphi$. From the fact that $\varphi \in \mathrm{compl}(\mathcal{F}_1)$ it follows that there exists some $(M_1,s_1) \in \mathcal{M}_1$ such that $(K,s_K) \in C_{\mathcal{F}_1}[(M_1,s_1)]$ and $(M_1,s_1) \models_1 \varphi$. Because of thorough semantics, we then have $\forall (K',s') \in C_{\mathcal{F}_1}[(M_1,s_1)].\ (K',s') \models \varphi$.

Since $\mathcal{F}_1 \sqsubseteq_{ex} \mathcal{F}_2$, there is a model $(M_2,s_2) \in \mathcal{M}_2$ such that $C_{\mathcal{F}_1}[(M_1,s_1)] = C_{\mathcal{F}_2}[(M_2,s_2)]$. Because of this equality, $(M_1,s_1)$ and $(M_2,s_2)$ satisfy the same formulae under thorough semantics, and hence $(M_2,s_2) \models_2 \varphi$. Since $\varphi$ was chosen arbitrarily, we obtain $\varphi \in \mathrm{compl}(\mathcal{F}_2)$. □

The necessity of a thorough semantics for both formalisms can be understood from the following counterexample, which shows that, in general, equal expressiveness does not imply equal completeness. Take as $\mathcal{F}_1$ the standard class of KMTSs with inductive semantics and as $\mathcal{F}_2$ also KMTSs, but this time with a thorough semantics. Since inductive semantics does not preserve thorough semantics, these two formalisms have different relative completeness.

Consider the following example, taken from [11]; the formula $\Box p \wedge \neg\Box q$ is false on all refinements of the KMTS depicted below, but it is unknown on the KMTS itself.

[Figure: a KMTS with two states, labelled $[p,q]$ and $[\neg p, \neg q]$, with a may transition $[p,q] \dashrightarrow [\neg p, \neg q]$]

Theorem 4 In general, more completeness does not imply more expressiveness, even in formalisms with thorough semantics.

Proof: Consider two formalisms consisting of the simple KMTSs depicted below (we assume a setting with mixed simulation, and inductive or thorough semantics).

[Figure: three KMTSs $M_1$, $M_2$ and $M_3$]

Let $\mathcal{M}_1 = \{M_1, M_2\}$ and $\mathcal{M}_2 = \{M_1, M_2, M_3\}$. We have: $\mathrm{compl}(\mathcal{F}_1) = \mathrm{compl}(\mathcal{F}_2) = \{\top, \Diamond\top, \Box\bot\}$ (up to semantic equivalence). However, $\mathcal{F}_1$ is strictly less expressive, because it cannot express the class of all Kripke Structures with a single model (as is the case with $\mathcal{F}_2$ and $M_3$). □



4.2 Characterisation of completeness sets for GTSs 

The GTS framework is known to be complete for the set of least fixpoint free formulae, see [1]. However, it is not known whether there are other subsets of $\mathcal{L}_\mu$ for which GTSs are complete, too. In this section, we attempt to provide a more accurate characterisation of the completeness set of the GTS framework.

From here on, we only consider GTSs or their subclasses with the standard inductive semantics of $\mathcal{L}_\mu$. By $\mathcal{L}_\nu$ we will denote the fragment of the $\mu$-calculus in which only the greatest fixpoint is allowed.

Let $\equiv$ denote semantic equivalence of formulae, i.e. $\varphi \equiv \psi$ if for every GTS $M$, $M \models_{SIS} \varphi \Leftrightarrow M \models_{SIS} \psi$. For any sublanguage $\mathcal{L}' \subseteq \mathcal{L}_\mu$ we define the completion of $\mathcal{L}'$ with respect to semantic equivalence as $[\mathcal{L}']_\equiv = \{\varphi \in \mathcal{L}_\mu \mid \exists \varphi' \in \mathcal{L}'.\ \varphi \equiv \varphi'\}$.

Before we prove our main result, we need to discuss certain technical issues. Inspired by the standard "naive" decision procedure for the $\mu$-calculus, which allows one to compute the semantics of a formula using approximants, we observe that, whenever a finite GTS satisfies a formula $\varphi$, this is witnessed by a least-fixpoint free syntactic approximant. These syntactic approximants can be obtained by successive unfoldings of the $\mu$-variables of $\varphi$.

By $V(\varphi)$ we will denote the set of all variables occurring in $\varphi$, and $\mathrm{Sub}(\varphi)$ will denote the set of all subformulae of $\varphi$. We will call a formula $\varphi$ well-formed if for every $X \in V(\varphi)$ there is at most one subformula $\sigma X.\varphi_X \in \mathrm{Sub}(\varphi)$. For a well-formed formula $\varphi$, the unfolding of a bound variable $X \in V(\varphi)$, denoted by $\mathrm{unfold}_\varphi(X)$, is the formula $\varphi_X$ such that $\sigma X.\varphi_X \in \mathrm{Sub}(\varphi)$. The set of bound $\mu$-variables (resp. $\nu$-variables) of a well-formed formula $\varphi$ is denoted by $V_\mu(\varphi)$ (resp. $V_\nu(\varphi)$).

We first provide an auxiliary notion, namely the approximant of a formula with respect to one fixed $\mu$-variable.



Definition 14 Fix a closed formula $\psi \in \mathcal{L}_\mu$. Let $\varphi \in \mathrm{Sub}(\psi)$ be a subformula of $\psi$ and let $k \in \mathbb{N}$ be a positive natural number. Let $\gamma$ be a word over $\mathbb{N}$; we will use it as a subscript in recursion variables to ensure well-formedness by introducing unique names. We will use the convention that the variables $X, Y$ range over the variables of the original formula $\psi$; in the definition below, they are formally identified with $X_\epsilon, Y_\epsilon$, where $\epsilon$ denotes the empty word. A simple $k$-th approximant of $\varphi$ with respect to $X \in V_\mu(\psi)$, denoted $\text{approx-var}_\psi^{X,k}(\varphi)$, is defined as follows:

$$
\begin{aligned}
\text{approx-var}_\psi^{X,0}(X_\gamma) &= \bot \\
\text{approx-var}_\psi^{X,0}(\mu X_\gamma.\varphi) &= \bot \\
\text{approx-var}_\psi^{X,k}(\varphi) &= \varphi & \varphi \in \{\top, \bot\} \cup \mathrm{Lit} \\
\text{approx-var}_\psi^{X,k}(\varphi_1 \odot \varphi_2) &= \text{approx-var}_\psi^{X,k}(\varphi_1) \odot \text{approx-var}_\psi^{X,k}(\varphi_2) & \odot \in \{\wedge, \vee\} \\
\text{approx-var}_\psi^{X,k}(\star\varphi) &= \star\, \text{approx-var}_\psi^{X,k}(\varphi) & \star \in \{\Diamond, \Box\} \\
\text{approx-var}_\psi^{X,k}(\sigma Y_\gamma.\varphi) &= \sigma Y_{\gamma k}.\ \text{approx-var}_\psi^{X,k}(\varphi) & Y \neq X,\ \sigma \in \{\mu, \nu\} \\
\text{approx-var}_\psi^{X,k}(X_\gamma) &= \text{approx-var}_\psi^{X,k-1}(\mathrm{unfold}_\psi(X)) \\
\text{approx-var}_\psi^{X,k}(Y_\gamma) &= Y_{\gamma k} & Y \neq X
\end{aligned}
$$

Note that in the above definition, the original formula $\psi$ is kept as a parameter of the approx-var operator, so that we are able to retrieve the unfolding of the recursion variable $X$ in $\psi$.

Proposition 2 For any well-formed formula $\psi \in \mathcal{L}_\mu$, $\mu X.\varphi_X \in \mathrm{Sub}(\psi)$ and any $k \in \mathbb{N}$, the $\mu$-calculus formula $\text{approx-var}_\psi^{X,k}(\mu X.\varphi_X)$ is well-formed.

Proof: We use induction on $k$.

• Base case: trivial.

• Induction. Observe that $\text{approx-var}_\psi^{X,k+1}(\mu X.\varphi_X)$ preserves the structure of $\varphi_X$ apart from the occurrences of $X$, which are unfolded with the "lower" approximants. Since $\mu X.\varphi_X$ is well-formed, the only places where a duplicate definition of recursion variables could occur are the unfoldings. However, the indexing scheme guarantees that recursion variables defined in the lower approximants have different names. Together with the inductive assumption, this yields well-formedness.

□

We are now in a position to define the general syntactic approximants of a $\mu$-calculus formula, which are constructed by unfolding every $\mu$-variable a finite number of times (specified for each variable by a function $\alpha$), so that the resulting formula is least-fixpoint free.

Definition 15 For a given formula $\varphi \in \mathcal{L}_\mu$ and $\alpha : V_\mu(\varphi) \to \mathbb{N}$ we define an approximant of $\varphi$, denoted with $\mathrm{approx}(\varphi, \alpha)$, as:

$$
\mathrm{approx}(\varphi, \alpha) =
\begin{cases}
\mathrm{approx}(\text{approx-var}_\varphi^{X,\alpha(X)}(\varphi), \alpha) & \text{if } X_\gamma \in V_\mu(\varphi) \text{ for some } \gamma \in \mathbb{N}^* \text{ and } \neg\exists Y_{\gamma'} \in V_\mu(\varphi).\ \mu X_\gamma.\varphi' \in \mathrm{Sub}(\mathrm{unfold}_\varphi(Y_{\gamma'})) \\
\varphi & \text{if } V_\mu(\varphi) = \emptyset
\end{cases}
$$

Intuitively, as long as there are $\mu$-variables in the formula, we take one (say $X$) such that for some $\gamma \in \mathbb{N}^*$, $X_\gamma$ has the outermost occurrence, and apply the approx-var operator with $X$ as a parameter, by which we obtain a formula that does not contain any variable of the form $X_{\gamma'}$ for any $\gamma' \in \mathbb{N}^*$.

Proposition 3 For any well-formed formula $\psi \in \mathcal{L}_\mu$ and any $\alpha : V_\mu(\psi) \to \mathbb{N}$, $\mathrm{approx}(\psi, \alpha)$ is a well-formed and least fixpoint-free $\mu$-calculus formula.

Proposition 4 For any GTS $M$, $M \models \varphi \Leftrightarrow M \models \mathrm{approx}(\varphi, \alpha)$, where $\alpha(X) = |M|$ for every $X \in V_\mu(\varphi)$.

From the existence of least-fixpoint free approximants we can deduce the following fact: for every formula containing a "true" least fixpoint property, $\varphi \in \mathcal{L}_\mu \setminus [\mathcal{L}_\nu]_\equiv$, and for an arbitrarily large number $n \in \mathbb{N}$, we can always find a concrete structure that needs a GTS of size at least $n$ to prove $\varphi$ using a GTS abstraction. We will use this fact to prove that, assuming that our concrete structures form the most general class KS, the completeness set of GTS is exactly the set of least-fixpoint free formulae. First, we introduce some auxiliary notation needed to facilitate proving this result.
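As an added worked instance of Definition 14 (not part of the paper), take the reachability formula $\psi = \mu X.\, P \vee \Diamond X$, so that $\mathrm{unfold}_\psi(X) = P \vee \Diamond X$; the rules for $X_\gamma$, literals, $\vee$ and $\Diamond$ give the approximants of the variable $X$:

$$
\begin{aligned}
\text{approx-var}_\psi^{X,0}(X) &= \bot \\
\text{approx-var}_\psi^{X,1}(X) &= \text{approx-var}_\psi^{X,0}(P \vee \Diamond X) = P \vee \Diamond\bot \\
\text{approx-var}_\psi^{X,2}(X) &= \text{approx-var}_\psi^{X,1}(P \vee \Diamond X) = P \vee \Diamond(P \vee \Diamond\bot) \\
\text{approx-var}_\psi^{X,k}(X) &= \underbrace{P \vee \Diamond(P \vee \Diamond(\cdots(P \vee \Diamond\bot)))}_{k \text{ occurrences of } P}
\end{aligned}
$$

Each of these formulae is least-fixpoint free and holds in a state exactly when a $P$-labelled state is reachable from it in at most $k-1$ steps. A Kripke Structure all of whose initial states have $\mathrm{STEPS}(s^0) \le n$ therefore satisfies the approximant with $k = n+1$, which is the mechanism behind the STEPS-based construction in the proof of Theorem 6.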



Expressiveness and Completeness in Abstraction 



Definition 16 Let $\mathcal{F} = (\mathcal{C}, \mathcal{M}, \preceq, \models_a)$ be an abstraction formalism, and $\varphi \in \mathcal{L}_\mu$ a formula. For an arbitrary Kripke Structure $K \in \mathrm{KS}$ we define

$$
\mathrm{minmodel}_{\mathcal{F}}(\varphi, K) =
\begin{cases}
\inf\{|M| \mid M \in \mathcal{M} \wedge K \preceq M \models_a \varphi\} & \text{if } \varphi \in \mathrm{compl}(\mathcal{F}) \\
\infty & \text{otherwise}
\end{cases}
$$

$$\mathrm{maxminmodel}_{\mathcal{F}}(\varphi) = \sup\{\mathrm{minmodel}_{\mathcal{F}}(\varphi, K) \mid K \in \mathrm{KS} \wedge K \models \varphi\}$$

Lemma 1 For any $\varphi \in \mathcal{L}_\mu \setminus [\mathcal{L}_\nu]_\equiv$, we have $\mathrm{maxminmodel}_{\mathrm{GTS}}(\varphi) = \infty$.

Proof: Suppose, towards a contradiction, that for some $\varphi \in \mathcal{L}_\mu \setminus [\mathcal{L}_\nu]_\equiv$, $\mathrm{maxminmodel}_{\mathrm{GTS}}(\varphi) = n$ for some $n \in \mathbb{N}$. Then for every Kripke Structure $K$ satisfying $\varphi$ there is a GTS $M$ of size at most $n$ such that $K \preceq_{mix} M \models_{SIS} \varphi$. From Prop. 4 we know that $M \models_{SIS} \varphi$ implies that $M \models \mathrm{approx}(\varphi, \alpha_{|M|})$ (where $\alpha_{|M|}(X) = |M|$ for all $X \in V_\mu(\varphi)$), and hence $K \models \mathrm{approx}(\varphi, \alpha_{|M|})$. This is because mixed simulation preserves properties of abstract models to concrete ones, i.e. soundness. From the above observations we obtain that for every $K \in \mathrm{KS}$, we have $K \models \varphi \Leftrightarrow K \models \mathrm{approx}(\varphi, \alpha_{|M|})$, so $\varphi \equiv \mathrm{approx}(\varphi, \alpha_{|M|})$. But $\mathrm{approx}(\varphi, \alpha_{|M|}) \in \mathcal{L}_\nu$, hence $\varphi \in [\mathcal{L}_\nu]_\equiv$, a contradiction. □

We are now ready to give the exact characterisation of the completeness set of GTS, in case the concrete structures form the most general class KS.

Theorem 5 For the general class KS, where an arbitrary, possibly infinite number of initial states is allowed, the class of formulae for which GTSs are complete is, up to semantic equivalence, exactly $\mathcal{L}_\nu$, i.e. $\mathrm{compl}((\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS})) = [\mathcal{L}_\nu]_\equiv$.

Proof: The fact that $\mathcal{L}_\nu \subseteq \mathrm{compl}((\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$ follows from the known result that GTSs are complete for $\mathcal{L}_\nu$ [1]. To prove the inclusion in the other direction, we proceed by contradiction. Assume that $\varphi \in (\mathcal{L}_\mu \setminus [\mathcal{L}_\nu]_\equiv) \cap \mathrm{compl}((\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$.

Since $\varphi$ is satisfiable, there is a KS $K_1$ such that $K_1 \models \varphi$, and from $\varphi \in \mathrm{compl}((\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$ there exists a model $M_1 \in \mathrm{GTS}$ of size $n_1$ such that $K_1 \preceq_{mix} M_1 \models_{SIS} \varphi$. Assume that $M_1$ is the smallest GTS with this property. Because $\varphi \in (\mathcal{L}_\mu \setminus [\mathcal{L}_\nu]_\equiv)$, we know from Lem. 1 that $\mathrm{maxminmodel}_{\mathrm{GTS}}(\varphi) = \infty$, so there is some KS $K_2$ for which the corresponding smallest GTS $M_2$ proving $\varphi$ has size $n_2 > n_1$. We can continue this construction ad infinitum, obtaining a sequence $(K_i, M_i, n_i)$ such that $K_i \models \varphi$, $K_i \preceq_{mix} M_i \models_{SIS} \varphi$, $M_i$ is the smallest GTS proving $\varphi$ on $K_i$ and $n_i = |M_i|$.

Let us now define $K = \bigcup_{i=1}^{\infty} K_i$ with $S^0 = \bigcup_{i=1}^{\infty} S_i^0$. Since $K_i \models \varphi$ for all $i$, we have $s \models \varphi$ for all $i \in \mathbb{N}$ and $s \in S_i^0$, therefore $K \models \varphi$. Since GTSs are complete for $\varphi$, there is some $M \in \mathrm{GTS}$ such that $K \preceq_{mix} M \models_{SIS} \varphi$. But this means that for all $i \in \mathbb{N}$, $\mathrm{minmodel}_{\mathrm{GTS}}(\varphi, K_i) \le |M|$, a contradiction. □

Note that in the proof of the above theorem, it is essential that one is allowed to have an infinite set of initial states. If we restrict to Kripke Structures with only finitely many initial states, then we obtain a richer completeness set. We can consider two subcases, depending on whether the concrete structures are finitely branching or not. While we believe that it is difficult to provide an exact characterisation of the completeness sets in these cases, we can at least prove that the completeness hierarchy is strict.

By $\mathrm{KS}_{fi}$ we denote the subclass of KS with finitely many initial states; by $\mathrm{KS}_{fb}$ we denote the subclass of $\mathrm{KS}_{fi}$ consisting of finitely branching structures.

Theorem 6 We have both $\mathrm{compl}((\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS})) \subsetneq \mathrm{compl}((\mathrm{KS}_{fi}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$, and $\mathrm{compl}((\mathrm{KS}_{fi}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS})) \subsetneq \mathrm{compl}((\mathrm{KS}_{fb}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$.

Proof: Obviously, smaller classes of concrete structures give rise to larger completeness sets in general. That the inclusions are strict can be proved with the following counterexamples.



Maciej Gazda and Tim A.C. Willemse 




• $\mathrm{compl}((\mathrm{KS}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS})) \subsetneq \mathrm{compl}((\mathrm{KS}_{fi}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$:

By Thm. 5 it suffices to show that there is at least one "true" least fixpoint formula that belongs to $\mathrm{compl}((\mathrm{KS}_{fi}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$. Consider the simple reachability formula $\varphi = \mu X.\, P \vee \Diamond X$ and suppose that $K \models_{SIS} \varphi$. Then a state labelled with $P$ is reachable from every initial state in a finite number of steps. For any state $s$ of $K$, let $\mathrm{STEPS}(s)$ denote the minimal path length from $s$ to a $P$-labelled state, and let $n$ be the largest value of $\mathrm{STEPS}(s^0)$ among all initial states $s^0$. We can group the states together according to the value of $\mathrm{STEPS}(s)$, and collapse all states with $\mathrm{STEPS}(s) > n$ into one abstract state. We complete the construction of the KMTS by adding must transitions corresponding to decrementing $\mathrm{STEPS}(s)$, and may transitions wherever necessary. It is not too hard to see that such a KMTS mixed simulates $K$ and allows one to prove $\varphi$.

• $\mathrm{compl}((\mathrm{KS}_{fi}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS})) \subsetneq \mathrm{compl}((\mathrm{KS}_{fb}, \mathrm{GTS}, \preceq_{mix}, \models_{SIS}))$:

Consider a formula expressing that all computations terminate: $\varphi = \mu X.\, \Box X$. Firstly, observe that there exists an infinitely branching model with one initial state on which this property holds but cannot be proved with a finite GTS. In its initial state there is a choice between executing $n$ transitions, for every $n \in \mathbb{N}$. Every execution path is bound to terminate, but since GTSs are unable to compress the counting of steps, no GTS can finitely approximate this Kripke Structure in a way that would allow one to prove $\varphi$.

□
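The STEPS-based construction from the first bullet, carried out in Python on a constructed finite Kripke structure, as an added example that is not the paper's own code: STEPS by a backwards search from the $P$-states, the collapse into abstract states $0, \ldots, n$ plus one 'far' state, must transitions that decrement STEPS, the two mixed-simulation conditions, and the least-fixpoint check of $\varphi$ over must transitions. The function names and the 'far' label are choices made here.

```python
from collections import deque

def steps(K, P):
    """STEPS(s): minimal path length from s to a P-labelled state (backwards BFS).
    K maps each state to its successor set; states that cannot reach P get None."""
    pred = {s: set() for s in K}
    for s in K:
        for t in K[s]:
            pred[t].add(s)
    dist, queue = {s: 0 for s in P}, deque(P)
    while queue:
        t = queue.popleft()
        for s in pred[t]:
            if s not in dist:
                dist[s] = dist[t] + 1
                queue.append(s)
    return {s: dist.get(s) for s in K}

def abstract_by_steps(K, init, P):
    """Construction from the proof of Theorem 6: group states by STEPS, collapse
    states with STEPS > n (or no path to P) into 'far', add must transitions
    k -> k-1 and may transitions covering every concrete transition."""
    st = steps(K, P)
    n = max(st[s] for s in init)                  # assumes K satisfies the formula
    rho = {s: st[s] if st[s] is not None and st[s] <= n else 'far' for s in K}
    may = {(rho[s], rho[t]) for s in K for t in K[s]}
    must = {(k, k - 1) for k in range(1, n + 1)}
    return rho, must, may, {rho[s] for s in init}

def is_mixed_simulation(K, rho, must, may):
    """Both mixed-simulation conditions: every concrete transition is matched by
    a may transition, every must transition from rho(s) by a transition of s."""
    return (all((rho[s], rho[t]) in may for s in K for t in K[s]) and
            all(any(rho[t] == b for t in K[s])
                for s in K for (a, b) in must if a == rho[s]))

def proves_reachability(must, abs_init, abs_P):
    """Least fixpoint of X = P or <>X on the abstract model, <> taken over
    must transitions; true iff every abstract initial state lies in it."""
    X = set(abs_P)
    while True:
        new = X | {a for (a, b) in must if b in X}
        if new == X:
            return abs_init <= X
        X = new

# Constructed Kripke structure: s4 and s5 form a loop that never reaches P.
K = {'s0': {'s2', 's4'}, 's1': {'s3'}, 's2': {'s3'}, 's3': {'s3'},
     's4': {'s5'}, 's5': {'s4'}}
INIT, P = {'s0', 's1'}, {'s3'}

def run_example():
    rho, must, may, abs_init = abstract_by_steps(K, INIT, P)
    # abstract state 0 is the only one whose concrete states all satisfy P
    return rho, is_mixed_simulation(K, rho, must, may), proves_reachability(must, abs_init, {0})
```

Here n = 2, so the abstraction has four states (0, 1, 2 and 'far') for six concrete ones, and the loop s4/s5 is absorbed into 'far' without any must transition leaving it.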

5 Conclusions and future work 

Abstraction is often a key instrument for turning intractable model checking problems into tractable 
problems. In the theoretical studies on abstraction frameworks, the expressivity and completeness of the 
frameworks are the main indicators of the power of the frameworks. 

A major problem is that the notion of expressiveness of an abstraction framework is not defined unambiguously in the literature. Wei et al. [19] established that, using a certain notion of expressiveness, the GTS abstraction formalism is equally expressive as the KMTS abstraction formalism. In this paper, we showed that using another common notion of expressiveness occurring in the literature on abstraction, the GTS abstraction formalism is actually strictly more expressive than the KMTS abstraction formalism.

The same paper occasionally uses the notions of completeness and expressivity interchangeably. 
Since both notions are defined differently, we set out to investigate their relations. We proved that only 
under specific conditions, there is a relation between completeness and expressivity. 

Finally, we studied the problem of completeness in more detail. We gave tighter characterisations of the completeness of the GTS framework. Among others, we showed that GTSs are complete for exactly the least fixpoint-free fragment of the $\mu$-calculus under the condition that concrete models are Kripke Structures with a potentially infinite number of initial states. We showed that these characterisations change when imposing different requirements on the concrete models.

Several lines of future research are still open. For one, it would be interesting to provide conditions 
under which expressiveness and completeness are in some way related. A second avenue of research 
would be investigating exact characterisations of completeness for subclasses of Kripke Structures as 
concrete models. We expect that this is a very difficult, yet challenging problem to solve. 